One year later: Five lessons learned from the VA data breach

Massive breach drives security reforms governmentwide

Page 2 of 3

1. A greater focus on data encryption within government

Since the VA breach, agencies across the government have begun paying more attention to encrypting data on laptops and other mobile devices, said John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc.

Pushing agencies in that direction is the White House's Office of Management and Budget (OMB), which shortly after the VA breach was disclosed issued a memorandum to all agency heads (M-06-16, "Protection of Sensitive Agency Information") recommending that all sensitive agency data on laptops and other mobile devices be encrypted. Compliance with the directive varies, but most agencies have either already bought and deployed encryption tools for their mobile devices or are in the process of doing so, Pescatore said.

"Encryption is not the end of all problems, but it solves a very major problem" at government agencies, he said.

2. Stronger breach notification guidelines within agencies

Prior to the VA debacle, few agencies had any formal internal breach notification process, said Howard Schmidt, an independent security consultant and former White House cybersecurity adviser.

When breaches such as the one at the VA occurred, there were few formal internal processes for notifying incident response teams and administrators. The VA incident "turned a tremendous amount of attention not just on the VA's own notification policies, but across the entire government," Schmidt said. As a result, more agencies today have formal policies and procedures for reporting and responding to all suspected and confirmed information breaches, he said. OMB guidance issued after the breach (M-06-19) now requires agencies to report any incident involving personally identifiable information, whether suspected or confirmed, to US-CERT within one hour of discovering it, rather than waiting for an internal investigation to finish.

3. More attention to data retention, classification and minimization

The VA breach also led to a governmentwide review of how personally identifiable information is stored, accessed and protected, said Chris Fountain, CEO of SecureInfo Corp., a McLean, Va.-based security services provider that works mainly with government agencies.

Many agencies have undertaken or are planning formal privacy impact assessments to understand how they collect, use and protect personal data, Fountain said. They are using those assessments to rate and prioritize their systems and then apply controls proportionate to the amount of personal data each system holds, he said.

Many agencies are also working to comply with the OMB directive issued in the wake of the VA breach (the same M-06-16 memorandum) that requires them to log every computer-readable extract from databases holding sensitive information, Pescatore said. Under the directive, they must also verify, within 90 days of each extract, that the extracted data has been erased or that its continued use is still justified, he said.
